(57) Abstract: A method for protecting a portable card, provided with at least a crypto algorithm for enciphering data and/or authenticating the card, against deriving the secret key used from statistical analysis of its information leaking away to the outside world in the event of cryptographic operations, such as power-consumption data, electromagnetic radiation and the like. The card is provided with at least a shift register having a linear and a non-linear feedback function for creating cryptographic algorithms. An algorithm is applied to the card which is constructed in such a manner that the collection of values of recorded leak-information signals is resistant to deriving the secret key from statistical analysis of said values. Advantageously, after the key has been loaded into the shift register, the shift register clocks on, using at least the linear-feedback function. A suitable alternative is loading only the key into the shift register in the event of a fixed content of the shift register.
The invention relates to a method for protecting a portable card, provided with at least a crypto algorithm for enciphering data and/or authenticating the card, against deriving the secret key used from statistical analysis of its information leaking away to the outside world in the event of cryptographic operations, such as power-consumption data, electromagnetic radiation and the like, the card being provided with at least a shift register having a linear and a non-linear feedback function for creating cryptographic algorithms, the method comprising loading data to be processed and a secret key in the shift register of the card.

Using a secret key to process input information and/or to produce output information is generally known in the event of cryptographic devices. Using feedback shift registers is also generally known for creating cryptographic algorithms.

In this connection, data to be consecutively processed and a secret key are loaded into one or more shift registers. Here, the sequence of loading data and the key is random.

Subsequently, the output of the shift register and possibly the shift-register contents are applied, using linear and/or non-linear feedback, to determine the output of the entire algorithm. The input of the shift register then, apart from the data and the key, also consists of a linear and a non-linear combination of the shift-register contents.

Such shift registers are generally applied in the event of portable cards, such as chip cards, calling cards, smart-card products and the like.

Since the secret key is not known to unauthorised third parties, it is basically impossible to derive either the input or the key from the output of the algorithm.

Now it has become apparent, however, that for chip cards and the like it is possible, in the event of computations, to derive the secret key used from a statistical analysis of the power consumption of the card. Such methods are known as "Differential Power Analysis" (DPA) and are described in the Internet publication DPA Technical Information: "Introduction to Differential Power Analysis and Related Attacks" by P. Kocher et al., Cryptography Research, San Francisco, 1998.
Said methods are based on the fact that, in practice, with cryptographic operations, information is leaking away to the outside world in the form of power-consumption data, electromagnetic radiation and the like.

Thus, logical microprocessor units show regular transistor-switching patterns which produce electrical behaviour that is noticeable externally (i.e., outside the microprocessor).

In this manner, it is possible to identify macro characteristics, such as microprocessor activity, by recording the power consumption and deriving information on the secret key used by way of statistical analysis of the data thus obtained.

The invention now overcomes said drawback and provides a portable card which is resistant to such analyses and is therefore safe to use.

The method according to the invention is characterised in that an algorithm is applied to the card which is constructed in such a manner that the collection of values of recorded leak-information signals is resistant to deriving the secret key by way of statistical analysis of said values. Advantageously, after loading the key into the shift register, the shift register is subsequently clocked on, during a specific period of time, several times, at least making use of the linear feedback function.

A suitable alternative according to the invention is loading only the key into the shift register in the event of a fixed content of the shift register.

In a first advantageous embodiment of the invention, the key is loaded first, subsequently clocking on is performed, after which the data is loaded.

In another advantageous embodiment of the invention, the key is first loaded, subsequently the data is loaded into the shift register, making exclusive use of the linear feedback function, and subsequently the clocking on is performed.

In yet another advantageous embodiment of the invention, the data is first loaded, subsequently the key is loaded, making exclusive use of the linear feedback function, whereafter clocking on is performed.

The invention will now be further explained with reference to the drawing and the description by way of non-limiting example.

FIG. 1 schematically shows a typical shift register as applied with a portable card, such as a chip card and the like.



WO 01/05090 PCT/EP00/04627



FIG. 2 schematically shows an advantageous solution according to the invention, and

FIG. 3 schematically shows another advantageous solution according to the invention.

Referring now to FIG. 1, there is shown a feedback shift register 1, which is applied in any way suitable for that purpose to a portable card, not shown for simplicity's sake, such as a chip card, calling card and the like, having an input 2 and an output 3.

The feedback shift register 1 comprises a shift register 1a, as well as a feedback function, which in this case consists of a linear function 1b and a non-linear function 1c having an output 3a. Such a feedback shift register, due to its relatively low costs, is eligible for being applied to, e.g., calling cards and the like. The non-linear function may see to it that each bit depends on a number of key bits.

Shift registers are generally known and their operation will therefore not be described in detail. The shift register 1a consists of a series of bits. The length of a shift register is expressed in bits; in the event of a length of n bits, it is called an n-bit shift register.

Each time a bit is required, all bits in the shift register are shifted 1 bit to the right. The new left bit is calculated as a function of the bits remaining in the register and the input.

The output of the shift register is 1 bit, often the least significant bit. The period of a shift register is the length of the output series before repetition starts.

Data is loaded by way of the input 2; the key is loaded, and results are produced by way of the output 3 or, if so desired, 3a. In a similar situation, however, an attack on the secret key used may be carried out by way of DPA, based on power variations of the system in the event of computations, via statistical analysis of "leak data" and error-correcting techniques.

In this connection, it should be noted that, from a security viewpoint, it is desirable to load the key and the data non-linearly into the shift register. It has become apparent, however, that in the event of calculations, non-linearly loading the key and the data into the shift register increases the chance of deriving the secret key used through statistical analysis of the power consumption.

In FIG. 2 and FIG. 3, the same reference numerals as used in 
FIG. 1 refer to the same components. 
FIG. 2 now shows an advantageous embodiment of the invention, the key first being loaded into the shift register, subsequently data being loaded, at least initially, exclusively using the linear-feedback function, and then the clocking on (e.g., 100 times or over) of the shift register taking place. During loading the data and, if so desired, the subsequent clocking on, the non-linear function of the shift register is deactivated until the shift register has been sufficiently clocked on. Then, the non-linear function is switched on once again.

In doing so, the linear-feedback function 1b continues to be active.

Deactivating and activating, as the case may be, the non-linear function 1c may take place in any way suitable for that purpose, e.g., using switches.

The shift register 1a is advantageously clocked on so many times that the content of all elements of the shift register depends on a large portion of the bits of the key.

In another advantageous embodiment, after loading the key there is first clocked on until the content of all elements of the shift register depends on a large portion of the bits of the key. Only after said clocking on, the data in the shift register 1a is permitted to be loaded and non-linear operations on the content of the shift register are also permitted to be effected.

Clocking on takes place in any way known to those skilled in the art and will therefore not be explained in further detail.

For completeness' sake, it should be noted that DPA is only capable of being carried out if there takes place a non-linear operation of the data with the key. Since, in addition, the effort required for DPA rises exponentially with the number of key bits on which the bits in the shift register depend, it is achieved in this manner that, in the event of sufficient interim clocking on of the shift register 1a, applying DPA does not result in short-term success.

In FIG. 3, there is shown an advantageous variant of the invention, the key having been loaded with a fixed content of the shift register (which may also consist purely of zeros) and clocking on the shift register taking place with an active linear and an active non-linear feedback function, but without data being loaded into the shift register during the clocking-on period. In doing so, the input of data into the shift register after loading the key is disconnected from the shift register and is reinstated again after a specific clocking-on period. Due to the fixed content of the shift register, it is not permitted to apply any modifications and an unauthorised third party shall not be capable of determining a collection of different values of leak data, such as power consumption, and subjecting it to statistical analysis in order to retrieve the key.

In this solution according to the invention, the key may 
therefore be loaded non-linearly, and deactivating the non-linear 
feedback function will not be required. 

In another advantageous embodiment of the invention, in the event that the key, after data has been loaded into the shift register, is not loaded with the fixed content of the shift register, the key is loaded into the shift register using only the linear-feedback function, whereafter subsequent clocking on is permitted to take place.
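The following is an added illustration, not code from the patent (which contains no program): a small model of the feedback shift register 1 of FIG. 1 (shift register 1a, linear function 1b, non-linear function 1c, input 2, output 3), together with the loading orders of FIG. 2 (key, then data with 1c switched off, then clocking on with 1b only) and of FIG. 3 (key into a register with fixed zero content, input 2 disconnected while 1b and 1c clock on). It goes beyond the text in one respect: `key_dependence` measures, for every cell, how many key bits that cell's content depends on, by flipping each key bit in turn and comparing the resulting states; this is the quantity the description says the DPA effort grows exponentially in. The register length, the tap positions and the particular non-linear function are assumptions made for the example; the 16-bit taps are the Fibonacci form of x^16 + x^14 + x^13 + x^11 + 1, counted from the output end.

```python
"""Added example, not the patent's own code: model of the feedback shift
register of FIG. 1 and of the loading orders of FIG. 2 and FIG. 3, plus a
check of how many key bits each cell depends on after clocking on.
Register length, taps and the non-linear function 1c are assumptions."""
from typing import Callable, List, Sequence

# Assumed taps for a 16-bit maximal-length register (x^16 + x^14 + x^13 + x^11 + 1
# in Fibonacci form). Cells are numbered from the output end: cell 1 is the bit
# that leaves the register next, cell n the bit that was entered last.
N16, TAPS16 = 16, (1, 3, 4, 6)


class FeedbackShiftRegister:
    def __init__(self, n: int, taps: Sequence[int], fixed_content: int = 0) -> None:
        self.n = n
        self.taps = taps                        # cells combined by linear function 1b
        self.cells: List[int] = [(fixed_content >> i) & 1 for i in range(n)]
        self.nonlinear_active = True            # switch for non-linear function 1c
        self.input_connected = True             # switch for input 2

    def linear_feedback(self) -> int:
        v = 0
        for t in self.taps:
            v ^= self.cells[t - 1]
        return v

    def nonlinear_feedback(self) -> int:
        # Assumed 1c: XOR of products of neighbouring cells, so a new bit depends
        # non-linearly on the register content.
        v = 0
        for i in range(0, self.n - 1, 2):
            v ^= self.cells[i] & self.cells[i + 1]
        return v

    def clock(self, input_bit: int = 0) -> int:
        """Shift all cells one position towards cell 1; return the bit leaving cell 1."""
        new_bit = self.linear_feedback()
        if self.nonlinear_active:
            new_bit ^= self.nonlinear_feedback()
        if self.input_connected:
            new_bit ^= input_bit
        out = self.cells[0]
        self.cells = self.cells[1:] + [new_bit]
        return out

    def load(self, bits: Sequence[int]) -> None:
        for b in bits:
            self.clock(b)


def fig2_state(key: Sequence[int], data: Sequence[int], n: int,
               taps: Sequence[int], extra_clocks: int) -> List[int]:
    """FIG. 2 order: key, then data with 1c off, then clocking on with 1b only;
    1c is switched on again once the register has been clocked on."""
    reg = FeedbackShiftRegister(n, taps)
    reg.nonlinear_active = False
    reg.load(key)
    reg.load(data)
    for _ in range(extra_clocks):
        reg.clock(0)
    reg.nonlinear_active = True
    return reg.cells


def fig3_state(key: Sequence[int], n: int, taps: Sequence[int],
               extra_clocks: int) -> List[int]:
    """FIG. 3 variant: key into a register with fixed (zero) content, 1b and 1c
    both active, input 2 disconnected while the register clocks on."""
    reg = FeedbackShiftRegister(n, taps, fixed_content=0)
    reg.load(key)                   # key may be loaded non-linearly here
    reg.input_connected = False
    for _ in range(extra_clocks):
        reg.clock()
    reg.input_connected = True      # data may be loaded from now on
    return reg.cells


def key_dependence(state_of: Callable[[List[int]], List[int]],
                   key: Sequence[int]) -> List[int]:
    """Per cell, count the key bits whose flip changes that cell's content.
    With 1c switched off the register is linear over GF(2), so the counts do
    not depend on which key value is used as the base."""
    base = state_of(list(key))
    counts = [0] * len(base)
    for i in range(len(key)):
        flipped = list(key)
        flipped[i] ^= 1
        for j, (a, b) in enumerate(zip(base, state_of(flipped))):
            counts[j] += int(a != b)
    return counts


if __name__ == "__main__":
    key = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed 16-bit key
    for clocks in (0, 16, 100):
        counts = key_dependence(lambda k: fig2_state(k, [], N16, TAPS16, clocks), key)
        print(f"{clocks:3d} extra clocks: min {min(counts):2d} of 16 key bits per cell {counts}")
```

For a 4-bit register with taps (1, 2) the per-cell counts are [1, 1, 1, 2] immediately after the key is loaded, [2, 2, 2, 3] after three further clocks (or, equivalently, after three zero data bits loaded with 1b only) and [3, 3, 4, 3] after nine; the number of clocking-on steps is what brings the minimum towards the key length before 1c and the data are allowed to act on the content. Loading zeros into the FIG. 3 register leaves it at zero, so that variant relies on the fixed content itself being loaded before the key.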

After the aforementioned description, various modifications of the method according to the invention will become apparent to those skilled in the art.

Such modifications shall be deemed to fall within the scope of 
the invention. 






CLAIMS

1. A method for protecting a portable card provided with at least a crypto algorithm for enciphering data and/or authenticating the card against deriving the secret key used from statistical analysis of its information leaking away to the outside world in the event of cryptographic operations, such as power-consumption data, electromagnetic radiation and the like, the card being provided with at least a shift register having a linear and a non-linear feedback function for creating cryptographic algorithms, the method comprising loading data to be processed and a secret key in the shift register of the card, characterised in that an algorithm is applied to the card which is constructed in such a manner that the collection of values of recorded leak-information signals is resistant to deriving the secret key by way of statistical analysis of said values.

2. The method according to claim 1, characterised in that, after the key has been loaded into the shift register, the shift register subsequently, during a specific period, clocks on several times, at least using the linear-feedback function.

3. The method according to claim 2, characterised in that the shift register is clocked on for so long that the content of all elements of the shift register largely depends on the bits of the key.

4. The method according to claim 2 or 3, characterised in that, 
after the key has been loaded and after clocking on, the data is 
subsequently loaded into the shift register. 

5. The method according to either of the claims 2 and 3, characterised in that after the key has been loaded into the shift register, the data is loaded using only the linear-feedback function and the shift register subsequently clocks on.

6. The method according to any one of claims 2 to 5, characterised in that clocking on the shift register takes place with an active linear-feedback function and a non-active, non-linear feedback function of the shift register.
7. The method according to any one of claims 2 to 6, characterised in that clocking on the shift register takes place with an active linear and an active non-linear feedback function of the shift register, no data being loaded into the shift register, however, during, or prior to, the clocking-on period or prior to loading the key.



8. The method according to any one of claims 5 to 7, characterised in that the non-linear feedback function is deactivated by disconnecting the connections thereof with the shift register as well as, if so desired, with the input.

9. The method according to any one of the claims 4 to 8, characterised in that the input of data into the shift register after loading the key into the shift register is disconnected from the shift register and is reinstated after the aforementioned specific period.



10. The method according to any one of the preceding claims 1 to 9, characterised in that the key is only loaded into the shift register in the event of a fixed content of the shift register.

11. The method according to any one of the preceding claims 1 to 9, characterised in that, if the key is not loaded with a fixed content of the shift register, the key is loaded into the shift register using only the linear-feedback function, whereafter clocking on takes place.






FIG. 1: feedback shift register 1, consisting of the shift register 1a with cells n, n-1, n-2, n-3, ..., 3, 2, 1, the linear feedback function 1b, and the non-linear feedback function 1c with its output 3a.

FIG. 2: the same components as FIG. 1 (shift register 1a, linear feedback function 1b, non-linear feedback function 1c, output 3a); the drawing additionally shows elements labelled 4 and 5, which the description does not name.

FIG. 3: the same components as FIG. 1 (shift register 1a, linear feedback function 1b, non-linear feedback function 1c, output 3a).






INTERNATIONAL SEARCH REPORT
International application No. PCT/EP 00/04627

A. CLASSIFICATION OF SUBJECT MATTER
IPC 7: H04L9/12 H04L9/26
According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED
Minimum documentation searched (classification system followed by classification symbols): IPC 7 H04L
Electronic data base consulted during the international search (name of data base and, where practical, search terms used): EPO-Internal, WPI Data, PAJ, INSPEC

C. DOCUMENTS CONSIDERED TO BE RELEVANT
Citation of document, with indication, where appropriate, of the relevant passages; relevant to claim No.

DE 196 22 533 A (DEUTSCHE TELEKOM AG), 11 December 1997 (1997-12-11): abstract; column 2, line 55 - column 3, line 13; claim 9. Relevant to claims 1, 2, 4, 6, 7.

KOCHER P C: "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems", Proceedings of the Annual International Cryptology Conference (CRYPTO), Berlin, Springer, vol. CONF. 16, 1996, pages 104-113, XP000626590, ISBN: 3-540-61512-1: abstract; page 112, line 13 - paragraph 3. Relevant to claims 1, 2, 4, 6, 7.
Further documents are listed in the continuation of box C. Patent family members are listed in annex.






Date of the actual completion of the international search: 31 August 2000
Date of mailing of the international search report: 06/09/2000
Name and mailing address of the ISA: European Patent Office, P.B. 5818 Patentlaan 2, NL-2280 HV Rijswijk; Tel. (+31-70) 340-2040, Tx. 31 651 epo nl, Fax: (+31-70) 340-3016
Authorized officer: Holper, G
Form PCT/ISA/210 (second sheet) (July 1992)



INTERNATIONAL SEARCH REPORT (continuation)
International application No. PCT/EP 00/04627

C (Continuation). DOCUMENTS CONSIDERED TO BE RELEVANT
Citation of document, with indication, where appropriate, of the relevant passages; relevant to claim No.

US 5 365 585 A (PUHL LARRY C ET AL), 15 November 1994 (1994-11-15): column 4, line 13 - line 61.

WO 98 52319 A (YEDA RES & DEV; FLEIT LOIS (US)), 19 November 1998 (1998-11-19): abstract.

Form PCT/ISA/210 (continuation of second sheet) (July 1992)



INTERNATIONAL SEARCH REPORT
Information on patent family members
International application No. PCT/EP 00/04627

Patent document cited in search report | Publication date | Patent family member(s) | Publication date
DE 19622533 A  | 11-12-1997 | AU 3032197 A   | 05-01-1998
               |            | CA 2244126 A   | 11-12-1997
               |            | CN 1221507 A   | 30-06-1999
               |            | WO 9746983 A   | 11-12-1997
               |            | EP 0909434 A   | 21-04-1999
US 5365585 A   | 15-11-1994 | BR 9405567 A   | 08-09-1999
               |            | CA 2146439 A,C | 09-03-1995
               |            | EP 0672273 A   | 20-09-1995
               |            | FI 951946 A    | 25-04-1995
               |            | GB 2286274 A,B | 09-08-1995
               |            | HK 1002338 A   | 14-08-1998
               |            | JP 8503569 T   | 16-04-1996
               |            | KR 168504 B    | 15-01-1999
               |            | WO 9506906 A   | 09-03-1995
WO 9852319 A   | 19-11-1998 | US 5991415 A   | 23-11-1999
               |            | AU 7568598 A   | 08-12-1998
               |            | EP 0986873 A   | 22-03-2000

Form PCT/ISA/210 (patent family annex) (July 1992)



